
Apache DolphinScheduler CVE-2026-41280

EUVD-2026-37581 CRITICAL
2026-06-17

Severity by source

vuln.today AI
5.4 MEDIUM

Network-accessible API requires a valid login (PR:L, AV:N); task deletion yields limited integrity and availability impact with no confidentiality loss.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Lifecycle Timeline

Patch available: Jun 17, 2026 - 11:01 (EUVD)
Analysis generated: Jun 17, 2026 - 02:17 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI-generated)

Incorrect Authorization in Apache DolphinScheduler's API module (versions prior to 3.4.2) allows any authenticated user holding basic system login privileges to delete task definitions belonging to projects outside their authorized scope. The flaw bypasses project-level access controls server-side, enabling cross-project destructive operations without requiring elevated roles. …


Attack chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate with low-privilege system account
Delivery: Enumerate task definition IDs across projects
Exploit: Craft deletion API request for unauthorized project task
Execution: Server skips project-level authorization check
Impact: Task definition permanently deleted in victim project

Vulnerability assessment (AI-generated)

Exploitation: Exploitation requires a valid authenticated session on the target Apache DolphinScheduler instance; any account with system login privileges is sufficient, and no elevated role (admin, project owner) is required. …
Risk assessment: No CVSS vector was provided by NVD or the Apache advisory, so all metric assessments are inferred from the vulnerability description. …
Exploit scenario: An authenticated attacker with a low-privilege DolphinScheduler account enumerates task definition identifiers across projects (e.g., via API responses or error messages) and identifies tasks belonging to a project they have no authorization to manage. The attacker submits a deletion API request referencing those task IDs; because project-level authorization is not enforced, the server accepts and processes the request, permanently deleting workflow task definitions and disrupting pipelines in the victim project. …
Remediation: Upgrade Apache DolphinScheduler to version 3.4.2 or later, which is the vendor-confirmed fix per the Apache advisory (https://dolphinscheduler.apache.org) and the oss-security disclosure (https://seclists.org/oss-sec/2026/q2/958). …
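The access-control gap described in the analysis and exploit scenario above, as an added illustration that is not DolphinScheduler's code (a constructed Python model; the handler names, project codes and task codes are assumptions): the pre-fix handler trusts the login alone, while the hardened handler resolves the task to its project server-side, requires rights on that project, answers unknown and unauthorized codes identically so responses do not help enumerate other projects' tasks, and writes an audit trail that a defender can query for repeated denials.

```python
# Constructed model of a task-definition delete endpoint; not DolphinScheduler code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # project codes the user is authorized to manage

@dataclass
class Store:
    tasks: dict = field(default_factory=dict)  # task code -> owning project code
    audit: list = field(default_factory=list)  # (user, task, project, outcome)

def delete_task_vulnerable(store, user, task_code):
    """Pre-fix behaviour per the advisory: a login suffices, user.projects is ignored."""
    if task_code not in store.tasks:
        return 404
    del store.tasks[task_code]
    return 200

def delete_task_fixed(store, user, task_code):
    """Hardened: resolve the task to its project server-side and require rights on
    it. Unknown and unauthorized codes both get 404, so responses do not confirm
    which task codes exist in projects the caller cannot see."""
    project = store.tasks.get(task_code)
    if project is None or project not in user.projects:
        store.audit.append((user.name, task_code, project, "denied"))
        return 404
    del store.tasks[task_code]
    store.audit.append((user.name, task_code, project, "deleted"))
    return 200

def suspicious_users(audit, threshold=3):
    """Detection aid: users denied on >= threshold distinct task codes, the
    footprint that probing for other projects' tasks leaves in the audit log."""
    denied = {}
    for user, task, _project, outcome in audit:
        if outcome == "denied":
            denied.setdefault(user, set()).add(task)
    return sorted(u for u, codes in denied.items() if len(codes) >= threshold)

def demo():
    # Constructed data: alice may manage proj-a only; task 201 belongs to proj-b.
    alice = User("alice", frozenset({"proj-a"}))
    tasks = {101: "proj-a", 102: "proj-a", 201: "proj-b"}
    before, after = Store(tasks=dict(tasks)), Store(tasks=dict(tasks))
    vuln = (delete_task_vulnerable(before, alice, 201), 201 in before.tasks)
    fixed = (delete_task_fixed(after, alice, 201), 201 in after.tasks)
    own = (delete_task_fixed(after, alice, 101), 101 in after.tasks)
    return vuln, fixed, own  # ((200, False), (404, True), (200, False))
```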

Recommended action (AI-generated)

Within 24 hours: Inventory all systems running Apache DolphinScheduler and determine versions (pre-3.4.2 indicates exposure). …
